Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Package: chetcpasswd
Version: 2.3.3-1
Severity: critical
Tags: security
chetcpasswd uses HTTP_X_FORWARDED_FOR for authentication purposes:

    if(getenv("HTTP_X_FORWARDED_FOR"))
        sprintf(IP,"%s",getenv("HTTP_X_FORWARDED_FOR"));
    else
        sprintf(IP,"%s",getenv("REMOTE_ADDR"));

and then goes on to check IP against /etc/chetcpasswd/chetcpasswd.allow.

Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be spoofed by any script kiddie who can read the man page of wget. Simply spoofing it to 127.0.0.1 will give access to the password changing app from any remote host.

Furthermore, this cgi script doesn't seem to implement any rate limiting for the passwd checks, thereby allowing for a dictionary attack via http.

Also, it seems to give a different error message if the user is not found than if the entered password is wrong, thereby exposing the names of user accounts to external attackers.

There are also issues with the package not using pam, and its circumventing of any checks the admin might have in place.

I really think this package needs a security audit.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17.8
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
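The following is an added example, not code from the chetcpasswd package or from the bug report, showing how the client-address lookup quoted above can be done so that a spoofed header does not bypass the allow list: X-Forwarded-For is only believed when the TCP peer (REMOTE_ADDR) is one of our own reverse proxies, and then only its last entry (the one appended by that proxy) is used. The proxy list, the allow list and the sample requests are constructed for the example; the real allow list lives in /etc/chetcpasswd/chetcpasswd.allow and has whatever format the package defines.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_MAX 64

/* Constructed sample data (assumptions for this example): the reverse proxies
 * whose X-Forwarded-For header we are willing to believe, and a stand-in for
 * the contents of /etc/chetcpasswd/chetcpasswd.allow. */
static const char *const TRUSTED_PROXIES[] = { "10.0.0.5", NULL };
static const char *const ALLOWED_CLIENTS[] = { "127.0.0.1", "192.0.2.10", NULL };

/* Exact-match lookup of an address in a NULL-terminated list. */
static int in_list(const char *ip, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(ip, *list) == 0)
            return 1;
    return 0;
}

/* Copy the last comma-separated element of an X-Forwarded-For value into
 * out, with surrounding whitespace removed. The last element is the one
 * appended by the proxy that connected to us; earlier ones arrived from
 * the client and may say anything. */
static void last_xff_entry(const char *xff, char *out, size_t outlen)
{
    const char *start = strrchr(xff, ',');
    size_t len;

    start = start ? start + 1 : xff;
    while (*start && isspace((unsigned char)*start))
        start++;
    len = strlen(start);
    while (len > 0 && isspace((unsigned char)start[len - 1]))
        len--;
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, start, len);
    out[len] = '\0';
}

/* Decide which address represents the client. X-Forwarded-For is consulted
 * only when REMOTE_ADDR is a trusted proxy; otherwise the header is under
 * the remote user's control and is ignored. */
void effective_client_ip(const char *remote_addr, const char *xff,
                         char *out, size_t outlen)
{
    if (xff && *xff && in_list(remote_addr, TRUSTED_PROXIES)) {
        last_xff_entry(xff, out, outlen);
    } else {
        /* snprintf rather than sprintf: REMOTE_ADDR is environment data
         * of unknown length. */
        snprintf(out, outlen, "%s", remote_addr);
    }
}

/* The allow-list decision: 1 = client may reach the password form, 0 = deny. */
int request_allowed(const char *remote_addr, const char *xff)
{
    char ip[IP_MAX];

    if (!remote_addr || !*remote_addr)
        return 0;               /* no peer address at all: deny */
    effective_client_ip(remote_addr, xff, ip, sizeof ip);
    return in_list(ip, ALLOWED_CLIENTS);
}

/* The same decision driven by the CGI environment, where the original code
 * read its variables. */
int request_allowed_from_env(void)
{
    return request_allowed(getenv("REMOTE_ADDR"), getenv("HTTP_X_FORWARDED_FOR"));
}

int main(void)
{
    /* Constructed requests: a direct spoof, a request via the trusted proxy,
     * a chained header via the proxy, and a genuine local request. */
    printf("direct spoof:   %d\n", request_allowed("203.0.113.9", "127.0.0.1"));
    printf("via proxy:      %d\n", request_allowed("10.0.0.5", "127.0.0.1"));
    printf("proxy, chained: %d\n", request_allowed("10.0.0.5", "127.0.0.1, 203.0.113.9"));
    printf("local direct:   %d\n", request_allowed("127.0.0.1", NULL));
    return 0;
}
```

With this arrangement a header of `X-Forwarded-For: 127.0.0.1` sent straight from a remote host is simply never read, because the peer is not a trusted proxy; the first constructed request above is denied. If the CGI is not deployed behind a reverse proxy at all, the trusted-proxy list is empty and REMOTE_ADDR is the only address ever consulted.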